WordPress vulnerable to yet another, still to be patched XSS flaw
The latest WordPress version (4.2, released on Thursday) and several earlier ones are vulnerable to a stored cross-site scripting (XSS) vulnerability that can be exploited to inject JavaScript in WordPress comments.

"If [the script is] triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors," researcher Jouko Pynnönen of Finnish security company Klikki Oy explained in a security advisory published on Sunday.